Weird Apache Access Logs

apache-2.2, logging

I see repeated requests like these in my Apache Access Logs and they have been eating up all my CPU.

I have a normal WordPress installation. All I changed in the Apache configuration was the DocumentRoot, from /var/www/html to /var/www, for both the SSL and the default configuration.

Also, the file referenced in the requests (updatedll.jpg) does not exist on my server and also isn't referenced in the source code served by any page of the web application.

Could this be a security threat? What are these actually, and what can I do to stop them?

I changed the IP address of my server. They still kept coming, meaning that somebody is actually hitting the domain name and not the IP address.

Why does my server send a 301 for these requests? Shouldn't it be sending a 404? Is it because WordPress is installed in my root directory and the .htaccess file present for WordPress is sending a 301 redirect?

My disk access logs also seem to have high peaks intermittently. But nobody is actually accessing the site. I see no access logs except these below.

Also, I see that all the requests seem to be coming from one of the following 5 IP addresses.

201.4.132.43 - - [05/Jun/2014:07:35:08 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; BTRS103681; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; AskTbATU3/5.15.29.67612; BRI/2)"

187.40.241.48 - - [05/Jun/2014:07:35:08 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

186.56.134.132 - - [05/Jun/2014:07:35:10 -0400] "GET /updatedll.jpg HTTP/1.0" 301 428 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

71.223.252.14 - - [05/Jun/2014:07:35:13 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BTRS31756; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; InfoPath.2)"

85.245.229.167 - - [05/Jun/2014:07:35:14 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MAAU; .NET4.0C; BRI/2; .NET4.0E; MAAU)"

UPDATE

There appear to be 32 distinct IP addresses hitting my server now.

Also, the output of the command "ngrep 'GET /updatedll.jpg' port 80" is given below:

T 75.172.162.70:1616 -> 162.243.34.213:80 [AP]
  GET /updatedll.jpg HTTP/1.1..Accept: */*..Accept-Encoding: gzip, deflate..U
  ser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; 
  BTRS31756; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506
  .2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; InfoPath.2)..Connection: Kee
  p-Alive..Host: www.reinventweb.com....                                     
###############
T 85.245.0.83:65166 -> 162.243.34.213:80 [AP]
  GET /updatedll.jpg HTTP/1.1..Accept: */*..UA-CPU: x86..Accept-Encoding: gzi
  p, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 
  GTB7.5; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; 
  .NET CLR 3.5.21022)..Host: reinventweb.com..Connection: Keep-Alive....     
######

Best Answer

A search on Google for the filename reveals a few copies of your logfile and just one other hit, which appears to be an upload log from some service. You should be able to tell if that log is related to your site; I am not.

None of those five IP addresses show up in that upload log, so that doesn't tell us much. The filenames in the upload log look legit to me. Whether the content of those files matches their names is impossible to say without knowing the contents.

What might originally have been in a file named updatedll.jpg? I am guessing somebody took a screenshot of how to update some dll and uploaded it to a service in order to share it with others. The sharing probably did not happen on a public webforum, because then I would have found more hits for it.

Why does somebody think the file resides on your host? I don't know. I find it useful to include "%{Host}i" in the Apache LogFormat.

As for the status code, you can first try to access the filename yourself to see how that looks in the logfile. If you get a different status code, something must be different between your own request for the file and theirs.

If you cannot figure out how to reproduce the exact same status code, then try to produce a packet dump of their traffic. You could use something like tcpdump -pni eth0 -s0 -Uw output.pcap 'host 201.4.132.43 || host 187.40.241.48 || host 186.56.134.132 || host 71.223.252.14 || host 85.245.229.167'

Later you can inspect the output using Wireshark to see exactly what the requests look like. Remember to use an updated version of Wireshark in case somebody is actually trying to exploit a vulnerability in Wireshark. Once you have seen the exact request, you should be able to reproduce the reply through a telnet command.
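An added example (not from the question or the answer) that does the log triage the answer recommends over the question's own entries: it parses Apache combined-format lines, optionally carrying the "%{Host}i" field, and groups requests by path so a file that many unrelated clients fetch without ever receiving a 200 stands out. The trailing position of the Host field and the www Host value on one sample line are assumptions.

```python
import re
from collections import defaultdict

# Combined log format plus an optional trailing quoted %{Host}i field (position assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<host>[^"]*)")?$'
)

# Constructed sample: four of the question's entries (User-Agents shortened)
# plus one ordinary request; the Host field on the fourth line is assumed.
SAMPLE_LOG = """\
201.4.132.43 - - [05/Jun/2014:07:35:08 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
187.40.241.48 - - [05/Jun/2014:07:35:08 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
186.56.134.132 - - [05/Jun/2014:07:35:10 -0400] "GET /updatedll.jpg HTTP/1.0" 301 428 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
85.245.229.167 - - [05/Jun/2014:07:35:14 -0400] "GET /updatedll.jpg HTTP/1.1" 301 465 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)" "www.reinventweb.com"
192.0.2.10 - - [05/Jun/2014:07:36:00 -0400] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/7.35.0"
"""

def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Group hits by request path: count, distinct client IPs, statuses, Host headers."""
    by_path = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": set(), "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip truncated or foreign lines rather than crash
            continue
        e = by_path[rec["path"]]
        e["hits"] += 1
        e["ips"].add(rec["ip"])
        e["statuses"].add(int(rec["status"]))
        if rec["host"]:          # only present when %{Host}i is in the LogFormat
            e["hosts"].add(rec["host"])
    return by_path

def suspicious_paths(by_path, min_ips=3):
    """Paths hit by at least min_ips distinct clients that never got a 200: a name
    that only redirects or 404s for many unrelated clients is stale links or a bot herd."""
    return sorted(p for p, e in by_path.items()
                  if len(e["ips"]) >= min_ips and 200 not in e["statuses"])

if __name__ == "__main__":
    for path in suspicious_paths(summarize(SAMPLE_LOG.splitlines())):
        print(path)
```

Run against a real access.log with `summarize(open(path))` and inspect the `hosts` set of the flagged path to see which hostname the clients are asking for.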
